

Defining Security Labels

In an MLS environment, after defining and creating security levels and categories in the system, an authorized security administrator can define the security labels that will be assigned to users, data sets and resources.

SECLABEL Data Record

The SECLABEL Data Record defines the value of a security label. You must define this record before you can assign the security label to users, data sets and resources.

Important! If you change or delete an existing security label (an MLS SECLABEL data record) that has been assigned to users or resources, you may get unexpected results during MLS validation. Before changing or removing a security label from the system, check whether it has been assigned to any users or resources. If it has, confirm that the change or deletion is intended, and if so, make any necessary changes to the user acids and MLS resource records that use the security label. Likewise, before deleting a security level or category that is used in an existing security label, confirm that the deletion is intended, and if so, make any necessary changes to the affected security labels and to any user acids and MLS resource records that use them.

The format of this command is:

TSS ADD|REMOVE(MLS) SECLABEL(seclabel)
                    SECLEVEL(seclevel)
                    [CATEGORY(category1,…category50)]
                    [SYSID(sysid1,…sysidn)]
seclabel

(Required) Specifies the alphanumeric-national character name of a security label. The security label cannot start with the letters 'SYS'. Security labels that begin with 'SYS' are reserved for existing or future system-defined security labels.

Range: 1 to 8 bytes

Note: To assign a security label to a resource, the security label record ID must be specified in the SECLABEL field of an MLS resource record. To assign the security label to a user, the security label record ID must be specified in the SECLABEL or DFLTSLBL field of a User acid record.

Seclevel(seclevel)

(Required) Specifies the security level which is the record ID of an existing MLS SECLEVEL Record. The security level must be a number between 1 and 254 without leading zeros.

Range: 1 to 3 characters

Important! Any seclevel specified must be a valid MLS SECLEVEL Record defined in the system. Otherwise, the system ignores this security label when the security classification tables are built, and any users or resources that have been assigned this security label will not be able to use it.

Category(category1,…category50)

Specifies the alphanumeric names of 1 to 50 categories that are the record IDs of existing MLS CATEGORY records. This field is optional. A comma or blank is the only valid delimiter between specified categories.

Range: 1 to 32 characters


Sysid(sysid1,…sysidn)

Specifies one or more alphanumeric system IDs on which this security label can be used, if the MLS option for system-specific security labels (MLSECBYS) is active. If the option is inactive, this field is ignored during MLS validation and the security label can be used on any system. This field is optional and can be masked using the asterisk (*) or dash (-) masking characters. If no system IDs are specified, the security label applies to all systems by default. A comma or blank is the only valid delimiter between specified system IDs.

Note: You must specify the TSS control option MLSECBYS(YES) to limit the use of security labels to certain systems.

Range: 1 to 4 characters

System-Defined Security Labels

CA Top Secret provides the following system-defined security labels. They are internal to CA Top Secret and can never be directly created or modified by a user; they can only be assigned to users, data sets, and resources:

SYSHIGH

The highest security label in any system. It consists of the highest level in the system and all categories. Therefore, it dominates all security labels.

SYSLOW

The lowest security label in any system. It consists of the lowest level in the system and no categories. Therefore, all security labels dominate it.

SYSNONE

A security label used in a system when write-down is not allowed. It should be assigned only to non-sensitive data and resources to which everyone, regardless of their security label, must have access, such as catalogs. It compares equivalent to any other security label. This security label cannot be assigned to users.

SYSMULTI

A security label that is equivalent to all other defined security labels. It should be assigned only to servers that can properly isolate users and data based on security labels or UNIX directories that contain subdirectories and files at different security levels. This security label is usually not assigned to users, but there are some exceptions.
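As an added illustration (not CA Top Secret's own code), the following Python model builds a classification table from constructed SECLEVEL, CATEGORY and SECLABEL records, drops labels whose SECLEVEL is undefined as the note above describes, and implements label comparison including the SYSHIGH, SYSLOW, SYSNONE and SYSMULTI rules. The level-and-category dominance rule used for ordinary labels is the standard MLS definition and is an assumption here, since the page states only which labels dominate which.

```python
# Model of the security label semantics described on this page.
# Constructed example, not CA Top Secret's implementation.
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    level: int                         # SECLEVEL value, 1..254
    categories: frozenset = frozenset()  # CATEGORY record IDs


# Constructed sample records, mirroring the TSS ADD(MLS) commands on this page.
SECLEVELS = {150, 50, 200}                           # defined SECLEVEL records
CATEGORIES = {"HUMANRESOURCES", "FINANCE", "SALES"}  # defined CATEGORY records
SECLABEL_RECORDS = {
    "LABELAAA": (150, ("humanresources", "finance", "sales")),
    "LABELBBB": (50, ("finance",)),
    "BADLABEL": (99, ("sales",)),   # 99 is not a defined SECLEVEL: label ignored
}


def build_classification_table(records):
    """Resolve SECLABEL records into Label objects. A label whose SECLEVEL is
    not a defined record is dropped, as the page says happens when the
    security classification tables are built. SYSHIGH and SYSLOW are then
    derived from the defined levels and categories."""
    table = {}
    for name, (level, cats) in records.items():
        if name.upper().startswith("SYS"):
            continue   # names beginning with SYS are reserved, never user-defined
        if level not in SECLEVELS:
            continue   # undefined SECLEVEL: ignored at table-build time
        table[name.upper()] = Label(level, frozenset(c.upper() for c in cats))
    table["SYSHIGH"] = Label(max(SECLEVELS), frozenset(CATEGORIES))
    table["SYSLOW"] = Label(min(SECLEVELS), frozenset())
    return table


def dominates(table, a, b):
    """True if label a dominates label b. SYSNONE and SYSMULTI compare as
    equivalent to every label, so they dominate and are dominated by all.
    For ordinary labels the standard MLS rule is assumed: a's level is at
    least b's and a's categories include all of b's. A label missing from
    the table (for example, one dropped for an undefined SECLEVEL) never
    dominates anything and is never dominated."""
    if a in ("SYSNONE", "SYSMULTI") or b in ("SYSNONE", "SYSMULTI"):
        return True
    if a not in table or b not in table:
        return False
    la, lb = table[a], table[b]
    return la.level >= lb.level and la.categories >= lb.categories
```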

SECLABEL Data Record Creation

To create a SECLABEL Record, enter:

TSS ADD(mls) SECLABEL(labelaaa)
             SECLEVEL(150)
             CATEGORY(humanresources,finance,sales)

SECLABEL Data Record View


Change a SECLABEL Data Record

After a SECLABEL record is defined, additional categories and/or SYSIDs may be added. To change the record, enter:

TSS ADD(mls) SECLABEL(labelaaa)
             SECLEVEL(50)
             SYSID(sysa)

Delete an MLS SECLABEL Record

To delete a SECLABEL Record, enter:

TSS REMOVE(mls) SECLABEL(labelaaa)